Vulnerability

Vulnerability and threat activity for this time period was consistent with previous time periods. Significant activity included vulnerabilities in Microsoft Internet Information Services (IIS) and SQL Server, the release of Apple Mac OS X 10.6 (Snow Leopard), and a Google Gmail outage.

Microsoft released a security advisory to address a vulnerability in the FTP service of IIS versions 5.0, 5.1, and 6.0, as reported in IntelliShield alert 18951. The vulnerability could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with SYSTEM privileges. Exploiting the vulnerability requires the FTP service to allow anonymous write access. Microsoft confirmed this vulnerability, and updated software is available for some platforms. A security flaw was also reported in Microsoft SQL Server 2000, 2005, and 2008 that allows a user with administrative privileges to view the unencrypted passwords of other users. Although this issue is likely a low risk for most environments, the flaw could undermine the separation of administrator duties, increase the risk of insider threats, and extend the privileges of an attacker who gains administrative access to the database. According to reports, Microsoft considers the flaw a minor issue and does not intend to release an immediate patch.

Google Gmail experienced an outage that lasted approximately two hours. The Gmail blog reported the problem as a cascading failure triggered by taking a small number of servers offline for routine maintenance. Gmail reported "slightly underestimating" the load that was transferred to the remaining servers; those servers stopped accepting traffic, which shifted still more load onto the servers that remained, until all servers stopped accepting traffic.
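The cascade described above can be reproduced with a small capacity model. This is an added illustration, not Google's analysis or numbers: the fleet, capacities and load are constructed, and the model assumes load is spread evenly over whichever servers are still accepting traffic.

```python
"""Toy model of the overload cascade described in the Gmail outage write-up.

Added illustration, not Google's analysis or numbers; the fleet below is
constructed.  Incoming load is spread evenly over every server still accepting
traffic.  A server whose share exceeds its capacity stops accepting traffic,
and its share moves to the survivors, which is how a small maintenance window
can end with no server accepting traffic at all.
"""


def simulate_cascade(capacities, total_load, offline):
    """Return the count of serving servers after maintenance and after each failure wave.

    `capacities` lists each server's capacity; the first `offline` servers are
    taken down for maintenance.  A trailing 0 means the cascade reached every server.
    """
    serving = list(capacities[offline:])
    history = [len(serving)]
    while serving:
        share = total_load / len(serving)
        survivors = [c for c in serving if c >= share]
        if len(survivors) == len(serving):
            break  # every remaining server can absorb its share; no cascade
        serving = survivors
        history.append(len(serving))
    return history


def max_safe_offline(capacities, total_load):
    """Largest number of servers (taken in list order) that can be removed without any failure wave."""
    safe = 0
    for offline in range(1, len(capacities)):
        if len(simulate_cascade(capacities, total_load, offline)) > 1:
            break
        safe = offline
    return safe


# Constructed fleet: ten servers of mixed capacity (131 units total) under 80 units of load.
FLEET = [10, 10, 10, 12, 12, 12, 15, 15, 15, 20]
LOAD = 80
```

Taking four servers offline leaves 89 units of aggregate capacity for 80 units of load, yet the even spread overloads the smallest survivors first and the fleet collapses in three waves; aggregate headroom alone is not a safe maintenance criterion.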

Apple released Mac OS X 10.6 (Snow Leopard), with early adopters reporting only minor flaws and bugs while running some 32-bit applications on the 64-bit operating system. The initial release of Snow Leopard reportedly included an older version of the Adobe Flash Player that is known to have multiple vulnerabilities. Users who have updated to Mac OS X 10.6 are advised to update their Flash Player to version 10.0.32.18, which is available at http://get.adobe.com/flashplayer/. Reports also indicate that fraudulent websites are offering downloads of the new Mac OS X version. Users are advised to update their systems and applications only from official Apple and Adobe websites.

Antivirus vendors reported a "wiretap trojan", known under various names, that captures recordings of Skype VoIP communications. The trojan captures the communications before encryption, through Microsoft Windows audio processing; it does not exploit a vulnerability in Skype or Microsoft Windows. The captured communications can be converted to MP3 format and saved on the attacker's computer. This trojan is likely to be used for directed attacks against specific individuals or systems rather than for mass compromise of Skype VoIP communications.

Also during the time period, a cross-site scripting vulnerability was reported in Twitter that could allow an attacker to take over user accounts if a user views a malicious tweet message. According to Twitter, the website has been updated, but reports indicate the vulnerability may not be completely corrected. Users are advised not to follow untrusted sources, and to continue to use caution on all Web 2.0 and social networking sites. These sites are experiencing increased focus from malicious and criminal elements that are attempting to exploit the popularity of the sites.

In upcoming activity, the Microsoft Security Bulletin Advance Notification for September 2009 was released and includes five security bulletins. The bulletins will be released on Tuesday, September 8, and each bulletin is rated Critical by Microsoft. The bulletins impact Microsoft Windows 2000, XP, Server 2003, Vista, and Server 2008.

Cisco will release its semiannual Cisco IOS Software advisory bundle on September 23, 2009. Cisco moved to semiannual Cisco IOS advisory releases in 2008. The last Cisco IOS Software advisory bundle was released in March 2009.

Oracle announced that the October 2009 Oracle Critical Patch Update that was scheduled for release on October 13, 2009, has been rescheduled for release on October 20, 2009. The new release date is meant to avoid conflicts with Oracle OpenWorld, which is scheduled for October 11-15, 2009.

IntelliShield published 83 events last week: 31 new events and 52 updated events. Of the 83 events, 66 were Vulnerability Alerts, three were Security Activity Bulletins, two were Threat Outbreak Alerts, eleven were Security Issue Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date         New   Updated   Total
Friday         09/4/2009      8        13      21
Thursday       09/3/2009      3         7      10
Wednesday      09/2/2009      7        23      30
Tuesday        09/1/2009      5         8      13
Monday         08/31/2009     8         1       9
Weekly Total   —             31        52      83

2009 Monthly Alert Totals

Month          New   Updated   Monthly Total
January        148       392             540
February       227       249             476
March          222       335             557
April          164       206             370
May            218       175             393
June           232       209             442
July           128       167             295
August         176       225             401
Annual Total  1515      1958            3474

The IntelliShield alert metrics show a continued decline in the overall volume of vulnerability activity, as reported in Cisco's 2009 Midyear Security Report. The end-of-month alert total for August 2009 was 3,474, while the end-of-month alert total for August 2008 was 4,857. The results show a 28 percent decline year over year.

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability in the FTP service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft confirmed this vulnerability, and updated software is available for some platforms.

Previous Alerts That Still Represent Significant Risk

The Linux kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a DoS condition. Proof-of-concept exploit code is publicly available. Red Hat has released updates.

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Apple and Novell have released security advisories and updated software to address the ISC BIND dynamic update remote DoS vulnerability.

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.

Microsoft IIS versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Physical

California Wildfires Threaten Radio and Cellular Infrastructure

Wildfires continue to threaten the city of Los Angeles, California (United States) and related power and telecommunications infrastructure. Transmitters atop Mount Wilson provide cellular telephone, radio, and television network service throughout Los Angeles. Situated to the north of Los Angeles, Mount Wilson is dangerously close to the fires. Electrical power lines surrounding the area of the fire have been threatened as well. The fires continue to burn in California, displacing residents and threatening outages that may affect the entire city.

IntelliShield Analysis: In addition to the risks to life and property, the danger to infrastructure continues, and although outages have not yet been reported, some may yet occur. Businesses are advised to maintain outage plans that cover all types of risks, and to spread communications across multiple modes so that a single outage does not cut them off. Additionally, the deployment of new infrastructure should take natural threats into account. By geographically distributing transmitter equipment, businesses can protect against threats to concentrations of telecommunications infrastructure such as those deployed on Mount Wilson.

Legal

United States Appeals Court Says Plain View Doctrine Does Not Apply to Electronic Searches

The United States (U.S.) Circuit Court of Appeals for the Ninth Circuit has ruled that the plain view doctrine does not apply to data that is stored on electronic devices, rejecting arguments from the U.S. Department of Justice. The case involved records that were stored on the computers of Comprehensive Drug Testing, Inc. (CDT). A warrant was issued to collect the records of ten Major League Baseball players who were suspected of steroid use. However, when the warrant was executed, instead of collecting only the records that pertained to the players in question, all records on the computer system were collected, including the records of hundreds of other players and many unrelated individuals. The opinion of the court states that the warrant was specific to the records of the ten players only, and that if other records are collected during the warrant execution, a third party should be designated to segregate those records before the data is given to government investigators.

IntelliShield Analysis: Although this ruling may appear to make warrantless electronic searches illegal, it actually concerns data that is not specified in a warrant but is inadvertently discovered or collected. The ruling still allows searches that are mandated by a sufficiently broad search warrant, including so-called "fishing expeditions", as well as searches of electronic equipment where no search warrant is required, such as searches at border crossings. These searches have been either explicitly or implicitly agreed to, because any person crossing a border with electronic equipment, as with any other item, is subject to search. Businesses should remain current with developing precedents and advise users, particularly those who travel internationally, on how to avoid legal issues.

Trust

Attack Against WPA Made Practical by Japanese Researchers

Researchers in Japan have developed a way to break Wi-Fi Protected Access (WPA) systems that use the Temporal Key Integrity Protocol (TKIP) in about a minute. WPA using TKIP now joins Wired Equivalent Privacy (WEP) in the ranks of very insecure protocols. WPA was a replacement for WEP, which was rendered insecure by an attack after just a few years of existence. Although WPA encryption using the Advanced Encryption Standard (AES) remains secure, WPA as a protocol has been deprecated in favor of WPA2. All devices displaying the Wi-Fi Alliance "Wi-Fi Certified" sticker since March 2006 support WPA2, and users are now urged to reconfigure their devices to use WPA2 wherever possible.

IntelliShield Analysis: Security attacks, as well as the security standards under attack, continue to evolve. Just as Moore's Law has increased the speed and density of computing equipment, attacks on previously secure protocols have evolved to render those protocols insecure. Although the attack is currently beyond the reach of a casual user, it will not be long before it is coded into an easy-to-use program and becomes available to the hacker community. The clued-in network administrator will always stay apprised of evolving standards and move to them when they become stable.
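The reconfiguration urged above can be checked and applied mechanically on a Linux access point. This is an added example, not code from the IntelliShield report or from the hostapd project; it assumes a hostapd.conf file and uses only the standard hostapd keys `wpa`, `wpa_pairwise` and `rsn_pairwise`, with the sample configuration constructed for illustration.

```python
"""Audit and harden a hostapd.conf against the WPA/TKIP setting the report warns about.

Added example, not code from the IntelliShield report or from hostapd.  It uses only
the standard hostapd keys: `wpa` is a bitmask (1 = WPA, 2 = WPA2/RSN, 3 = both) and
`wpa_pairwise` / `rsn_pairwise` list the permitted pairwise ciphers (TKIP, CCMP).
"""

def parse_hostapd(text: str) -> dict[str, str]:
    """Return key=value settings from hostapd.conf text, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def tkip_findings(text: str) -> list[str]:
    """List the settings that keep the access point on WPA (v1) or TKIP."""
    conf = parse_hostapd(text)
    findings = []
    if int(conf.get("wpa", "0")) & 1:  # bit 1 = original WPA enabled
        findings.append("wpa enables WPA (v1); set wpa=2 for WPA2 only")
    # With wpa=2 and no rsn_pairwise set, hostapd falls back to wpa_pairwise,
    # so TKIP in either key is a finding.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP; use CCMP (AES) only")
    return findings

def harden(text: str) -> str:
    """Rewrite the protocol and cipher keys to WPA2 + CCMP, keeping other lines."""
    fixed = {"wpa": "2", "wpa_pairwise": "CCMP", "rsn_pairwise": "CCMP"}
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if "=" in line and not line.lstrip().startswith("#") and key in fixed:
            out.append(f"{key}={fixed[key]}")
        else:
            out.append(line)
    return "\n".join(out)

# Constructed sample: an access point still configured for WPA with TKIP.
WEAK_CONF = """\
interface=wlan0
ssid=office-ap
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""
```

Running `tkip_findings` over the hardened output returns an empty list; the same check applied before a change window catches mixed-mode (wpa=3) deployments that still negotiate TKIP with older clients.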

Identity

There was no significant activity in this category during the time period.

Human

Back to School, Back to Basics

This time of year brings two information security events to the forefront: the return to school by students in many countries, including the United States (U.S.), and the month of October, which is National Cyber Security Awareness Month in the U.S. As students return to school, many are being met with an increased presence of computers and web-based education. Many students now have, or are required to have, personal computers; books are being moved online to reduce costs; and assignments, teachers, and homework assistance are available through school websites. Schools will also likely provide students with acceptable use policies and safe computing presentations. Similarly, this is the time of year for businesses to re-educate users on these very same security basics. An abundance of educational and reference material is available online, and many of the major vendors, government and professional organizations will be holding security events throughout the month of October.

IntelliShield Analysis: Educators, parents, and managers can make use of the numerous websites and resources available to reach and re-educate users. Most provide simple, straightforward advice and recommendations about the basics of cyber security. As complex, expensive, and intimidating as many cyber security issues can be, it is often a failure to perform basic practices that leads to more severe security problems. Using strong passwords and changing them regularly, updating software, enabling the security features included with computers and browsers, and avoiding known risky behaviors provide users with a basic level of protection without sacrificing usability. As social networking sites top the list for use by students and other users, trends in criminal activity show an increased focus on these sites, attempting to exploit their popularity and their users. Social networking sites should be used with the increased level of awareness that security presentations can provide.

Geopolitical

Cloud Computing Complicated by Global Context

The global economic downturn has proved a boon for cloud computing, as business and government entities that are caught between tight budgets and expanding demand turn to scalable, pay-as-you-go cloud services, such as Software as a Service (SaaS). The expanding demand has brought international players into the mix, including Indian offshoring giant Wipro, which last week announced a new SaaS offering that may compete with the likes of Amazon.com and IBM.

IntelliShield Analysis: Cloud computing has been called the ultimate form of globalization, a description that aligns it with concepts like offshoring and outsourcing. However, physical proximity of data centers to the client remains important for latency reasons, prompting companies like Wipro to consider locating data centers close to their clients. A potentially more troubling concern may be the unwanted side effect of a key cloud computing advantage, that of distribution. In an attempt to insulate clients from physical outages tied to geographical location, Amazon Web Services, for example, provides so-called availability zones, which allow distribution of data across various countries and regions. With data potentially residing in multiple jurisdictions, enterprises run the risk of falling subject to varying data protection and privacy laws. In the United States (U.S.), Sarbanes-Oxley compliance and data protection requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Patriot Act could lead governments to require a web services provider to hand over a client's data. In the European Union (E.U.), the Data Protection Directive, addressed in part under the U.S.-E.U. Safe Harbor Act, creates obstacles for the movement of data outside of E.U. legal jurisdiction.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.